For use with McAfee ePolicy Orchestrator - … Important advice to protect your computer system,...

Product Guide McAfee Data Exchange Layer 3.1.0 For use with McAfee ePolicy Orchestrator



COPYRIGHT

© 2017 Intel Corporation

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 McAfee Data Exchange Layer 3.1.0 Product Guide


Contents

Preface 5
  About this guide 5
    Audience 5
    Conventions 5
  Find product documentation 6

1 Introduction 7
  Overview 7
    DXL Cloud Databus 8
    Intel Software Guard Extensions 8

2 Installing Data Exchange Layer 11
  System requirements 11
  Data Exchange Layer network overview 12
  Install DXL 3.1.0 13
    Install the extensions 14
    Check in the DXL packages 14
    Install the DXL brokers 14
    Deploy the Data Exchange Layer client 18
    Verify the installation 18
    Troubleshooting the installation 19
  Upgrade to DXL 3.1.0 20
    Upgrade the extensions 20
    Check in the DXL packages 21
    Upgrade the DXL broker 21
    Verify the DXL broker upgrade 22
    Upgrade the DXL client 22
    Verify the DXL client upgrade 22

3 Managing Data Exchange Layer 25
  Working with brokers 25
    Configure DXL policies 26
    Configure brokers 26
    Add brokers 27
    Add brokers to a DMZ 27
  The DXL fabric 28
    View the DXL fabric 28
  Bridging Data Exchange Layer fabrics 28
    Create an outgoing bridge 29
    Create an incoming bridge 30
  Working with certificates 31
    Importing client certificates 31
    Migrating certificates 32
    Data Exchange Layer certificate authorization 33
  Creating DXL queries 34
  DXL server tasks 34

Index 35


Preface

This guide provides the information you need to work with your McAfee product.

Contents

About this guide

Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

Conventions

This guide uses these typographical conventions and icons.

Italic: Title of a book, chapter, or topic; a new term; emphasis

Bold: Text that is emphasized

Monospace: Commands and other text that the user types; a code sample; a displayed message

Narrow Bold: Words from the product interface like options, menus, buttons, and dialog boxes

Hypertext blue: A link to a topic or to an external website

Note: Extra information to emphasize a point, remind the reader of something, or provide an alternative method

Tip: Best practice information

Caution: Important advice to protect your computer system, software installation, network, business, or data

Warning: Critical advice to prevent bodily harm when using a hardware product


Find product documentation

On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task

1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.

2 In the Knowledge Base pane under Content Source, click Product Documentation.

3 Select a product and version, then click Search to display a list of documents.


1 Introduction

The McAfee® Data Exchange Layer (DXL) framework includes client software and brokers that allow bidirectional communication between endpoints on a network. It receives and sends encrypted messages throughout your environment to track activity, risks, and threats in real time.

Overview

DXL works in the background, communicating with services, databases, endpoints, and applications.

The DXL client is installed on each managed endpoint, so that threat information can be shared immediately with all other services and devices.

A blocked threat attempt that reveals malware on an endpoint can be shared immediately with the gateway and other security components, isolating and stopping the threat before it spreads. You can view threat events that were discovered and stopped, so that you get a picture of your environment's security and possible areas of vulnerability.

DXL has these components:

• Brokers — Installed on managed systems; brokers route messages between connected clients. An example of a connected client is the Threat Intelligence Exchange module. The network of brokers tracks active consumers and dynamically adjusts the message routing as needed. When a client requests a service, or when an update is broadcast, brokers relay these messages. Brokers can be organized into hubs and service zones.

DXL clients maintain a persistent connection to their brokers regardless of their location. Even if a managed endpoint running the DXL client is behind a NAT (network address translation) boundary, it can receive updated threat information from its broker located outside the NAT.

• DXL Fabric — Consists of DXL clients and brokers. You can bridge DXL fabrics that are managed by different McAfee® ePolicy Orchestrator® (McAfee® ePO™) servers to share services across fabrics.

• Hubs — Contain one or two brokers and provide failover protection in a multi-broker environment. If a hub has two brokers, both act simultaneously. If one is unavailable, the other continues to function.

• Clients — Clients receive and process messages from the brokers. An example of a client is the Threat Intelligence Exchange module. Clients subscribe and publish to the fabric without API-based integration.

• Service zones — A service zone is associated with brokers and hubs and routes requests from clients. Service zones ensure that services are supplied by local resources. In the following example, service zones are organized into locations. When the TIE client sends a file or certificate reputation request, it attempts to find a TIE server in the Portland service zone first. If a server is not available in that zone, it looks in the North America service zone, because the Portland hub is part of the North America zone. Without specifying service zones, requests might be sent to the Europe or London hub first.


After installing the DXL brokers and client software, you create the hubs and zones for the brokers in your environment. You can also bridge hubs and brokers managed by different instances of McAfee ePO so that the brokers can communicate information over the fabric.

DXL Cloud Databus

The DXL Cloud Databus facilitates the connection of on-premise McAfee ePO servers with McAfee Cloud Bridge, which provides cloud storage and services.

DXL brokers can be configured using the DXL Broker Management Extension to send data via the DXL Cloud Databus to the Cloud Bridge to support products that use this component.

For example, McAfee Active Response clients send trace data from managed endpoints via DXL and the DXL Cloud Databus to the McAfee Cloud Bridge. The trace data on the Cloud Bridge is then made available to an on-premise instance of Active Response where an endpoint administrator analyzes the data, identifies issues, and remediates threats.

The DXL Cloud Databus is configured in the DXL Cloud Database Server Settings, and broker extensions are enabled in the DXL Topology Server Settings.

Intel Software Guard Extensions

Data Exchange Layer supports Intel® Software Guard Extensions (SGX), an architecture extension designed to increase the security of software using an "inverse sandbox" mechanism.

Rather than attempting to identify and isolate all the malware on the platform, SGX enables legitimate software to be sealed inside an enclave and protected from attack by the malware, irrespective of the malware's privilege level. SGX is installed and enabled with the DXL client on machines that are SGX-capable.


For more details about SGX, see Intel Software Guard Extensions.


2 Installing Data Exchange Layer

Install the DXL client and brokers for the first time, or upgrade DXL from a previous version.

Contents

System requirements

Data Exchange Layer network overview

Install DXL 3.1.0

Upgrade to DXL 3.1.0

System requirements

Make sure that your system environment meets these requirements and that you have administrator rights.

Component | Products | Version
VMware vSphere | ESXi | 5.1 or later
McAfee ePO | McAfee ePO | 5.1.1 or later
McAfee ePO product extensions and packages (checked in) | McAfee Agent | 5.0.0 or later
McAfee ePO product extensions and packages (checked in) | McAfee Agent extension | 5.0.0 or later
Products installed on each of your managed systems | McAfee Agent | 5.0.0 or later

Operating system

You can install the Data Exchange Layer client on the following operating systems.

Microsoft Windows

• Windows 7 (32-bit and 64-bit), Windows Embedded 7

• Windows 8.0 (32-bit and 64-bit), Windows Embedded 8

• Windows 8.1 (32-bit and 64-bit)

• Windows 8.1 U1/U2 (32-bit and 64-bit)

• Windows 10 (32-bit and 64-bit)

• Windows 10.1 (32-bit and 64-bit)

• Windows 10.2 (32-bit and 64-bit)

• Windows Server 2008

• Windows Server 2008 R2

• Windows Server 2012

• Windows Server 2012 R2

Linux operating systems

• 32/64-bit Red Hat 6.x or later

• 32/64-bit CentOS 6.x or later

• 32/64-bit Debian 7.x or later

• 32/64-bit Ubuntu 12.x or later

Macintosh operating systems

• OS X

Standalone DXL broker

System requirements for a standalone DXL broker installation are:

Recommended

• 4 cores

• 8 GB RAM

• 20 GB Hard Disk

Minimum

• 2 cores

• 4 GB RAM

• 20 GB Hard Disk

Data Exchange Layer network overview

The Data Exchange Layer framework uses these network protocols and ports.

Make sure these ports are open and available for use with DXL.

Install DXL 3.1.0

Follow these tasks if you are installing the DXL client and brokers for the first time on a system.

Tasks

• Install the extensions on page 14
Install the Data Exchange Layer extensions in the McAfee ePO server.

• Check in the DXL packages on page 14
Check in the Data Exchange Layer packages to the Master Repository on the McAfee ePO server.

• Install the DXL brokers on page 14
Download the DXL software, then install and configure the DXL brokers using VMware vSphere (.ova or .iso file) or on a Linux system.

• Deploy the Data Exchange Layer client on page 18
Deploy the DXL client to each of your managed systems.

• Verify the installation on page 18
After you complete the DXL broker appliance pages in VMware, verify that the installation was successful.

• Troubleshooting the installation on page 19
McAfee provides log files and scripts that can help you resolve common issues that might occur during installation.


Install the extensions

Install the Data Exchange Layer extensions in the McAfee ePO server.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Software | Extensions.

2 Click Install Extension and install the extensions in the following order.

a DXL Broker Management

b DXL Client

c DXL Client Management

Check in the DXL packages

Check in the Data Exchange Layer packages to the Master Repository on the McAfee ePO server.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Master Repository, then click Check In Package.

2 Check in these DXL packages:

• DXL Client

• DXL Broker

• DXL Platform

Install the DXL brokers

Download the DXL software, then install and configure the DXL brokers using VMware vSphere (.ova or .iso file) or on a Linux system.

Tasks

• Download the DXL software on page 14
Download the DXL software manually from the McAfee product download website, or use the McAfee Software Manager.

• Install DXL brokers on page 15
Install and configure the DXL brokers. You can install on a VMware system, or on a Linux system.

Download the DXL software

Download the DXL software manually from the McAfee product download website, or use the McAfee Software Manager.


Task

For details about product features, usage, and best practices, click ? or Help.

• Use one of these methods to download and install the DXL software:

• In the Software Manager, click McAfee Data Exchange Layer <version>, then check in the DXL Bundle component. This automatically downloads and installs all necessary DXL extensions and packages.

• To install manually, download the McAfee Data Exchange Layer files from the McAfee product download website. Then check in the Data Exchange Layer extensions and packages to McAfee ePO.

The broker appliance is installed using VMware vSphere (.ova file) or by running the DXL broker file (.iso file). Download one of the broker appliance files and save it locally before continuing.

Install DXL brokers

Install and configure the DXL brokers. You can install on a VMware system, or on a Linux system.

Tasks

• Install using VMware on page 15
Install DXL brokers on a VMware system.

• Install on a Linux system on page 16
You can install and deploy a DXL broker on a Linux system.

Install using VMware

Install DXL brokers on a VMware system.

Before you begin

The DXL appliance is available on the Software Manager and the McAfee download site. There are two options, an OVA and an ISO. Both are packaged as a .zip file and must be extracted before installing.

Task

1 Depending on which appliance option you downloaded, do one of the following:

• If you downloaded the DXL broker ISO component, use the .iso file to install the appliance on a supported platform.

• If you downloaded the DXL broker OVA component, open the VMware vSphere client, then click File | Deploy OVF Template. Browse to and select the DXL .ova file on your computer. Click Next and complete the steps in the wizard, then turn on the virtual machine and open a Console window.

2 Install and configure the DXL broker appliance.

a Read and accept the license agreement. You can press Enter to view each page, or skip to the last page.

b Create a root password for the appliance. The password must be at least nine characters.

c Enter the operational account name, real name, and password, using the Tab key to move to the next field. When finished, press Y to continue.

The account name is typically something like jsmith and is used to log on to and administer the appliance. The real name is your full name, for example, John Smith.

d On the Network Selection page, enter N to continue.


e Select a configuration type, then enter Y to continue.

• DHCP — Enter D.

• Manual IP address — Enter M, then enter the remaining information.

f Enter the host name and domain name of the computer where you are installing the appliance. Enter Y to continue.

g Enter up to three Network Time Protocol servers to synchronize the time of the appliance. Use the default server listed, or enter the address for up to three servers. Enter Y to continue.

h Enter the IP address or fully qualified domain name, port, and account information for your McAfee ePO server. The user account must have administrator rights. Enter Y to continue.

i Open a web browser, navigate to McAfee ePO, and verify that the McAfee ePO server certificate's Common Name (CN) and fingerprint match the information shown. How to verify certificates depends on your browser. For most browsers, clicking the Lock icon in the address bar allows you to view certificate details.

j Specify the port that DXL uses. Use the default port, or enter a port number within the range shown, then enter Y to continue.

k When the logon screen appears, close it.

3 Log on to McAfee ePO as an administrator and verify that there is a DXL broker listed in the System Tree.

See Verify the installation for additional information about making sure that the DXL broker installed successfully.

Install on a Linux system

You can install and deploy a DXL broker on a Linux system.

Before you begin

The Linux system must be managed by McAfee ePO and include McAfee Agent version 5.0.4 or later. Ensure that all needed communication ports are open through the local firewall. See the McAfee Agent Product Guide for details.

You can install and deploy a broker on systems running these Linux versions:

• 64-bit Red Hat Enterprise Linux 6.x

• 64-bit Red Hat Enterprise Linux 7.x

• 64-bit CentOS 6.x

• 64-bit CentOS 7.x

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Software | Product Deployment, then click New Deployment.

2 Complete the new deployment information, then start the deployment.


3 After the deployment task completes, configure the broker.

a To use a communication port other than the default 8883, update the DXL broker configuration file /opt/McAfee/dxlbroker/conf/dxlbroker.conf. Change the listenPort setting.

# The broker listen port
listenPort=8883

b Update the firewall to allow communication on the broker port with the following commands, replacing <listenPort> with the correct port.

iptables (Red Hat Enterprise Linux 6.x / CentOS 6.x):

iptables -N DXLBROKER
iptables -I INPUT -j DXLBROKER
iptables -A DXLBROKER -p tcp -m tcp --dport <listenPort> -j ACCEPT
service iptables save
ip6tables -N DXLBROKER
ip6tables -I INPUT -j DXLBROKER
ip6tables -A DXLBROKER -p tcp -m tcp --dport <listenPort> -j ACCEPT
service ip6tables save

firewalld (Red Hat Enterprise Linux 7.x / CentOS 7.x):

firewall-cmd --zone=public --permanent --add-port=<listenPort>/tcp
firewall-cmd --reload

c Create a broker-specific sysctl.conf file to increase the maximum number of tracked connections.

$> mkdir -p /etc/sysctl.d
$> cat > /etc/sysctl.d/dxlbroker-sysctl.conf <<EOF
# DXL Broker sysctl settings
#
net.ipv4.netfilter.ip_conntrack_max = 196608
net.netfilter.nf_conntrack_max = 196608
net.nf_conntrack_max = 196608
# End of file
EOF
$> sysctl -e -p /etc/sysctl.d/dxlbroker-sysctl.conf

d Create a broker-specific limits.conf file to increase the maximum number of File Descriptors.

$> mkdir -p /etc/security/limits.d
$> cat > /etc/security/limits.d/dxlbroker-limits.conf <<EOF
# DXL Broker limits
mfedxl soft nofile 262144
mfedxl hard nofile 262144
# End of file
EOF

e Restart the DXL Broker service.

$> service dxlbroker restart
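As an added example that is not part of the McAfee guide, the following POSIX shell helpers audit the Linux broker steps above without changing the system: they read the listenPort actually set in dxlbroker.conf, print the matching firewall commands (iptables for 6.x, firewalld for 7.x) for review instead of running them, and check that the sysctl and limits files carry the values the guide specifies. The function names and the test-file paths are assumptions; the config path and values come from the steps above.

```shell
#!/bin/sh
# Added example, not from the McAfee guide: audit helpers for the Linux broker
# configuration steps. Nothing here modifies the system; the functions read
# config files and print commands or mismatches for review.

# Config path named in the guide; callers may pass another path (used in tests).
DXL_CONF="/opt/McAfee/dxlbroker/conf/dxlbroker.conf"

# Print the listenPort set in a dxlbroker.conf. Commented lines are ignored;
# the broker default of 8883 is printed when no setting is present.
dxl_listen_port() {
    conf="${1:-$DXL_CONF}"
    port=$(sed -n 's/^[[:space:]]*listenPort[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$conf" | tail -n 1)
    [ -n "$port" ] || port=8883
    printf '%s\n' "$port"
}

# Succeed only for a numeric TCP port in 1-65535.
dxl_valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print (do not run) the guide's firewall commands for a port and backend:
# "iptables" for RHEL/CentOS 6.x, "firewalld" for RHEL/CentOS 7.x.
dxl_firewall_cmds() {
    port="$1"
    backend="$2"
    dxl_valid_port "$port" || { echo "invalid listenPort: '$port'" >&2; return 1; }
    case "$backend" in
        iptables)
            for tool in iptables ip6tables; do
                printf '%s -N DXLBROKER\n' "$tool"
                printf '%s -I INPUT -j DXLBROKER\n' "$tool"
                printf '%s -A DXLBROKER -p tcp -m tcp --dport %s -j ACCEPT\n' "$tool" "$port"
                printf 'service %s save\n' "$tool"
            done
            ;;
        firewalld)
            printf 'firewall-cmd --zone=public --permanent --add-port=%s/tcp\n' "$port"
            printf 'firewall-cmd --reload\n'
            ;;
        *)
            echo "unknown firewall backend: '$backend'" >&2
            return 1
            ;;
    esac
}

# Verify the tuning files the guide creates: the three conntrack keys must be
# 196608 and mfedxl soft/hard nofile must be 262144. Prints each mismatch and
# returns non-zero if any is found.
dxl_verify_tuning() {
    sysctl_conf="$1"
    limits_conf="$2"
    rc=0
    for key in net.ipv4.netfilter.ip_conntrack_max net.netfilter.nf_conntrack_max net.nf_conntrack_max; do
        val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$sysctl_conf" | tail -n 1)
        [ "$val" = "196608" ] || { echo "sysctl $key is '${val:-unset}', expected 196608"; rc=1; }
    done
    for kind in soft hard; do
        val=$(awk -v k="$kind" '$1 == "mfedxl" && $2 == k && $3 == "nofile" { v = $4 } END { print v }' "$limits_conf")
        [ "$val" = "262144" ] || { echo "limits mfedxl $kind nofile is '${val:-unset}', expected 262144"; rc=1; }
    done
    return "$rc"
}
```

On a broker, `dxl_firewall_cmds "$(dxl_listen_port)" firewalld` shows the rules that match the configured port so they can be compared with what is actually in place before the service is restarted.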

Log files for installing and deploying brokers on a Linux system are available to help with troubleshooting:

/var/log/dxlbroker-<version_number>-<build_number>.log

/var/log/dxlbroker-uninstall.log


Deploy the Data Exchange Layer client

Deploy the DXL client to each of your managed systems.

Before you begin

If deploying the DXL client on a supported Linux 64-bit system, perform these steps on the system before deploying:

• On CentOS and Red Hat systems, enter sudo yum install glibc.i686 libstdc++.i686

• On Debian and Ubuntu systems, enter sudo apt-get install lib32stdc++6

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Software | Product Deployment, then click New Deployment.

2 Complete the new deployment information, then start the deployment.

For details about deploying software in McAfee ePO, see the McAfee ePolicy Orchestrator Product Guide.

Verify the installation

After you complete the DXL broker appliance pages in VMware, verify that the installation was successful.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the System Tree main page, verify that the broker is listed and tagged as DXLBROKER.

If the broker is not tagged as DXLBROKER, run the Manage DXL Brokers server task.

2 In the System Tree, select the DXL broker name, then click the Products tab. Verify that the DXL broker and version are listed.

a If the DXL broker and version are not listed, click Wake Up Agents.

b On the Wake Up McAfee Agent page, select Force complete policy and task update, then click OK.

It might take a few minutes for the broker properties to be sent to the appliance.

When the installation is successful, the installed brokers are tagged as DXLBROKER and the correct DXL version is displayed in the Products tab. You can also click the McAfee shield icon in the Windows taskbar and look for the McAfee Data Exchange Layer heading to see if the broker is connected.

Tasks

• Verify status of Intel Software Guard Extensions on page 19
The Intel Software Guard Extensions (SGX) is installed and enabled with the DXL client.


Verify status of Intel Software Guard Extensions

The Intel Software Guard Extensions (SGX) is installed and enabled with the DXL client.

SGX is installed only on SGX-capable machines running a Windows operating system. You can verify whether a machine is SGX-capable, and if so, whether SGX is enabled.

• To see if SGX is installed on a particular machine, open the Windows Control Panel on that machine and in the Programs and Features list, look for Intel Software Guard Extensions Platform Software.

• To see if SGX is enabled or disabled on a particular DXL client system, in the McAfee ePO System Tree, select the system where the DXL client is installed, then click the Products tab. The SGX section shows whether the system is SGX-capable, and whether SGX is enabled.

Troubleshooting the installation

McAfee provides log files and scripts that can help you resolve common issues that might occur during installation.

Accessing log files

To troubleshoot installation problems, view the log files. Have these files available if you contact technical support.

/var/log/dxlbroker-<version_number>-<build_number>.log

/var/log/DXLPlatform-<version_number>-<build_number>.log

Reconfiguring the installation using scripts

You can use scripts to reconfigure the DXL brokers and the McAfee Agent. The scripts are located in the /home/<username> directory. They must be executed with sudo permissions, for example, sudo /home/myname/reconfig-dxl.

Script name | Description | Reboot?
change-hostname | Changes the host name of the current DXL broker appliance. It restarts the McAfee Agent and the broker. | Recommended
change-services | Enables or disables the DXL broker. If the broker was initially disabled during first boot, the script prompts for broker configuration information. | No
reconfig-dxl | Reconfigures the DXL port. | No
reconfig-ma | Reconfigures the McAfee Agent. The agent and DXL broker services are restarted. New keystores are generated when the service starts. Before using this script, read this KnowledgeBase article for important information: KB85043 | Recommended
reconfig-network | Reconfigures the current network interface (from DHCP to manual, or from manual to DHCP). | Required
reconfig-ntp | Reconfigures the Network Time Protocol servers. | No


Upgrade to DXL 3.1.0

Upgrade from a previous version of Data Exchange Layer.

Before upgrading to Data Exchange Layer 3.1.0, create a snapshot of your virtual machine in the VMware vSphere client. For instructions, see the VMware vSphere documentation.

Use one of these methods to install the 3.1.0 product files:

• In the Software Manager, click McAfee Data Exchange Layer 3.1, then check in the DXL Bundle component. This automatically downloads and installs all necessary DXL extensions and packages.

• To install manually, download the Data Exchange Layer 3.1.0 files from the McAfee product download website. Check in the packages to the Master Repository, and the extensions using the Extensions page.

Complete the tasks in the order shown to ensure a successful upgrade.

Tasks

• Upgrade the extensions (page 20): Install the Data Exchange Layer extensions to the McAfee ePO server.

• Check in the DXL packages (page 14): Check in the Data Exchange Layer packages to the Master Repository on the McAfee ePO server.

• Upgrade the DXL broker (page 21): To upgrade the DXL brokers on the appliance, create a client task that includes a product deployment task in McAfee ePO.

• Verify the DXL broker upgrade (page 22): After you complete the DXL upgrade, verify that the upgrade was successful.

• Upgrade the DXL client (page 22): Upgrade the DXL client on each of your managed systems.

• Verify the DXL client upgrade (page 22): After you complete the DXL client upgrade, verify that the upgrade was successful.

Upgrade the extensions

Install the Data Exchange Layer extensions to the McAfee ePO server.

Before you begin

The DXL extension version must be the same or newer than the DXL broker version. You cannot install an older extension version with a newer broker version.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Software | Extensions.

2 Click Install Extension and install the extensions in the following order.

a DXL Broker Management

b DXL Client

c DXL Client Management


Check in the DXL packages

Check in the Data Exchange Layer packages to the Master Repository on the McAfee ePO server.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Master Repository, then click Check In Package.

2 Check in these DXL packages:

• DXL Client

• DXL Broker

• DXL Platform

Upgrade the DXL broker

To upgrade the DXL brokers on the appliance, create a client task that includes a product deployment task in McAfee ePO.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Policy | Client Task Catalog.

2 Select McAfee Agent, then click New Task.

3 In the New Task window, select Product Deployment, then click OK.

4 Complete the new deployment information for the DXL broker. For the Target platforms option, make sure that only McAfee Linux OS is selected. Create a task for each package. Packages must be updated in this order:

a DXL Platform

b DXL Broker

If you initially installed the broker appliance using the TIE .ova file, upgrade only the broker (the platform updates come from Threat Intelligence Exchange). If you installed the broker appliance using the DXL .ova or .iso file, upgrade both the platform and the broker.

5 Save the task and run it against the DXL broker.

6 In the System Tree, select a DXL broker name, then click the Properties tab.

7 Click Wake Up Agents and select Force complete policy and task update. It might take a few minutes for the broker properties to be sent to the appliance.

Log files are located here:

/var/log/dxlbroker-<version_number>-<build_number>.log

/var/log/DXLPlatform-<version_number>-<build_number>.log

/var/McAfee/dxlbroker/logs/ipe-start.log

/var/McAfee/dxlbroker/logs/ipe.log


Verify the DXL broker upgrade

After you complete the DXL upgrade, verify that the upgrade was successful.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In the System Tree main page, verify that the updated broker is listed and tagged as DXLBROKER. If it isn't, run the Manage DXL Brokers server task.

2 In the System Tree, select the DXL broker name, then click the Products tab. Verify that the updated DXL broker and version are listed.

a If the DXL broker and version are not listed, click Wake Up Agents.

b Select Force complete policy and task update, then click OK. It might take a few minutes for the broker properties to be sent to the appliance.

c If the DXLBROKER tag does not appear in the System Tree, run the Manage DXL Brokers server task again.

When the installation is successful, the correct DXL version is displayed in the Products tab, and the installed brokers are tagged as DXLBROKER.

Upgrade the DXL client

Upgrade the DXL client on each of your managed systems.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Policy | Client Task Catalog.

2 Select McAfee Agent, then click New Task.

3 Select Product Deployment, then click OK.

4 Complete the new deployment information: From the Products and components list, select Data Exchange Layer Client.

5 Save the task and run it on each of your managed systems. You might have to wait several minutes for the task to complete, depending on how busy your McAfee ePO server is.

6 In the System Tree, select the DXL client system, then click the Products tab.

7 Click Wake Up Agents and select Force complete policy and task update. It might take a few minutes for the client properties to be sent to the McAfee ePO server.

Verify the DXL client upgrade

After you complete the DXL client upgrade, verify that the upgrade was successful.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In the System Tree, select a DXL client system, then click the Products tab.

2 Verify that the updated DXL client and version are listed.


3 Select a DXL client system, and from the Actions menu, select DXL | Lookup in DXL. Make sure that the connection state is Connected.

4 You can also click the McAfee shield icon in the Windows taskbar and look for the McAfee Data Exchange Layer heading to see if the broker is connected.


3 Managing Data Exchange Layer

Data Exchange Layer includes a client and brokers that allow bidirectional communication between endpoints on a network. You can add and organize brokers as needed for your environment.

Contents

Working with brokers
The DXL fabric
Bridging Data Exchange Layer fabrics
Working with certificates
Creating DXL queries
DXL server tasks

Working with brokers

The Data Exchange Layer brokers can be organized into hubs and service zones to determine how brokers are accessed.

Brokers are installed on managed systems and communicate messages between security products that are integrated with the DXL fabric. The network of brokers tracks active clients and dynamically adjusts the message routing as needed.

Organizing brokers

Brokers can be organized into hubs that manage how brokers are accessed and provide failover protection in a multi-broker environment. If a hub has two brokers, both act simultaneously. If one is unavailable, the other continues to function. You can create as many hubs as needed. A broker, however, can be assigned to only one hub.

You can organize brokers and hubs into service zones to further determine how servers are accessed. For example, if you have multiple Threat Intelligence Exchange servers and brokers in different geographical locations, you can create service zones of servers and brokers. Clients in a service zone access servers in that zone first. If those servers are not available, the clients access the servers in other zones. If you don't use service zones, client requests can be sent to any server at any location.

Tools for working with brokers

• Arrange the brokers in the DXL Topology page to organize them the way you want. On the left side of the page is a list of brokers and hubs. Drag and drop the brokers and hubs to create the topology you need for your environment.

• Add new brokers at any time using the DXL installation wizard. A new broker is automatically added as a child to the top-level broker or hub in the broker topology.


• Use the Data Exchange Layer Fabric feature to view the broker topology in your environment. You can quickly see how brokers are connected and managed. You can also see the number of clients that are connected to a specific broker. This can help you determine if you need more brokers in your environment.

• To increase or decrease the number of clients that can connect to a broker, change the Client Connection Limit settings in the McAfee DXL Broker Management policy.

Configure DXL policies

DXL policy settings are used by the DXL client on managed systems where the policy is assigned.

The policy settings allow you to determine a specific broker or hub that the DXL client connects to. Policies enable you to control which brokers are accessed for specific managed systems.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Policy | Policy Catalog.

2 From the Product list, select McAfee DXL Client.

3 On the My Default line, click Duplicate to create a policy.

4 Enter a name and a brief description for the new policy, then click OK.

5 Complete the fields on the Policy Catalog page. See the online Help for details about each field.

After you create a policy, assign it to managed systems to control how the DXL client on those systems communicates with brokers and hubs.

Configure brokers

If you installed DXL brokers on more than one system, you can create a hierarchy of brokers to provide failover protection if any brokers are unavailable.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Configuration | Server Settings | DXL Topology.

2 Select Edit to create hubs, service zones, and assign brokers.

The options on the page depend on whether you selected a broker or a hub. Unassigned brokers are listed below the hubs.

3 Select an item from the Actions menu to create or delete a hub, or to detach a broker from its current hub.

For details about connecting DXL brokers that are managed by different McAfee ePO servers, see Bridging DXL brokers.


Add brokers

You might want to install more brokers throughout your environment as you add new endpoints and systems. A new broker is automatically added as a child to the top-level broker or hub in the broker topology.

Task

1 Run the DXL appliance installation, or install the brokers on a Linux system.

You can install brokers on a system already running brokers, or on a different system.

2 If adding brokers using the appliance, on the Service Selection page, select DXL Broker and complete the broker installation.

For details about installing and configuring brokers, see Installing Data Exchange Layer.

Add brokers to a DMZ

You can install Data Exchange Layer brokers in a demilitarized zone (DMZ) where publicly accessible servers are not allowed.

Installing a broker in the DMZ allows remote users to access information from products that use the DXL, such as Threat Intelligence Exchange.

You must have an Agent Handler in the DMZ and your network must be configured to support this. McAfee ePO communicates with the DXL broker to share configuration, policy, and performance information via the agent on the broker.

To use a DXL broker in a DMZ, firewall rules are necessary. Also, the DXL framework must be structured in a way to allow communication from brokers in the DMZ to brokers in the internal network. The DXL Topology page enables you to create this structure. (To access the DXL Topology page, select Menu | Configuration | Server Settings | DXL Topology.)

This diagram shows the default ports used.


The DXL fabric

Quickly see all DXL brokers in your environment. You can see their status, how they are connected, clients they support, and other details.

There are several views that allow you to see the broker fabric in different ways:

• The current connection status for all brokers

• Brokers managed by different instances of McAfee ePO

• Brokers by hub

• Brokers by connected clients

For all brokers in the fabric, you can see detailed properties, bridging information, registered services, and more.

View the DXL fabric

View all brokers in your environment and see connection, status, and detailed information.

Before you begin

The DXL fabric page is view-only and requires permissions to access it. To set permissions to access the fabric, use the McAfee DXL Fabric permission set in McAfee ePO.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Systems | Data Exchange Layer Fabric.

2 Use the View drop-down list to select how you want the information to be organized.

• To resize the items on the page to zoom in or out, use the mouse wheel.

• To fit all items on the fabric view on the page, double-click the mouse.

3 Use the Label drop-down list to select the type of labels that you want to see.

4 Click a broker to see detailed information about it on the Properties, Bridges, Services, and Extensions tabs.

Extensions are additional features that can be enabled on a DXL broker to add functionality from other managed products. The Extensions tab shows details about enabled extensions for the broker.

Bridging Data Exchange Layer fabrics

Bridging DXL fabrics allows DXL brokers that are managed by different McAfee ePO servers to communicate with each other to share clients and services.

For example, if you have Threat Intelligence Exchange and at least one DXL broker managed by multiple instances of McAfee ePO, you can connect the brokers by bridging their fabrics. You can then see the files that are running at all locations and share their reputation information.

To connect DXL broker fabrics, you create incoming and outgoing bridges to and from the brokers that are managed by different McAfee ePO servers.


Process for bridging DXL fabrics

Bridging DXL fabrics is a multi-step process to ensure that the DXL brokers that are managed by different McAfee ePO servers can connect and communicate with each other. The bridged systems must export and import each other's broker information.

In this example, McAfee ePO 1 has a top-level hub with two brokers. It also has a broker used by the TIE service, where managed endpoints connect. McAfee ePO 2 has a hub with two brokers that are used by the TIE service and managed endpoints. To bridge the brokers so that they can share clients and services, you create an incoming bridge on McAfee ePO 1 and an outgoing bridge on McAfee ePO 2.

Bridging must be completed at the hub level. You cannot create a bridge from an individual broker.

Bridging existing TIE servers and databases

If you have existing TIE servers and databases managed by different McAfee ePO servers, you can bridge them to share reputation information. You can have only one TIE master or one primary TIE database for the DXL fabric. For details, see KnowledgeBase article: KB83896.

Create an outgoing bridge

When you designate a DXL hub as an outgoing bridge, brokers in that hub can connect to the brokers that are managed by a different McAfee ePO server.

Each McAfee ePO server can have only one hub that is designated as an outgoing bridged hub. And that hub must be the top-level hub in the DXL topology with at least one broker assigned to it.


Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Configuration | Server Settings | DXL Topology.

2 On the DXL Topology page, select Edit.

3 From the topology tree, select the top-level hub, and from the Actions menu, select Create Outgoing Bridge - Remote ePO Hub.

The hub is highlighted in red (invalid state) until it is bridged with a hub on a remote system.

4 Click Export Local Hub Information to create a file that contains information about the hub's brokers. Save this file in a location that's available to remote systems.

5 On the remote McAfee ePO server where you are bridging to:

a From the Actions menu, select Create Incoming Bridge - Remote ePO Hub.

b Select a hub to bridge to the outgoing hub, then click Import Remote Hub Information and navigate to the file. This creates an incoming bridge.

c Click Export Local Hub Information to create a file containing information about the brokers.

6 On the local system, click Import Remote Hub Information and navigate to the file created by the remote system.

The local and remote hubs now have the broker information necessary to communicate and share information via the DXL framework.

Create an incoming bridge

Designating a hub as an incoming bridge enables brokers that are managed by a remote McAfee ePO system to connect its brokers to local DXL brokers.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Configuration | Server Settings | DXL Topology.

2 On the DXL Topology page, click Edit.

3 From the topology tree, select the top-level hub, and from the Actions menu, select Create Incoming Bridge - Remote ePO Hub to create an empty hub under the top-level hub.

This is a placeholder for the broker topology information that will come from remote McAfee ePO systems when they are bridged with the local system. The hub is highlighted in red (invalid state) until the information from a remote system is uploaded.

4 Click Import Remote Hub Information and navigate to the outgoing bridge file created by the remote McAfee ePO server.

This file contains information about its brokers. You can import files from several McAfee ePO servers.


5 Click Export Local Hub Information to create a file that contains information about the brokers in the local hub. The remote system (outgoing bridge) imports this file.

Both hubs now have the broker information necessary to communicate and share information via the DXL fabric.

6 To complete the bridge, run the Send DXL State Event server task on both the incoming and outgoing systems.

Working with certificates

DXL uses certificates to provide integrity and authentication when sending messages over the DXL fabric.

Importing client certificates

When using a third-party certificate with DXL clients, you must import a Certificate Authority, or self-signed certificate, for those clients.

The DXL brokers use certificates to recognize and validate clients. After a certificate is created, import it into McAfee ePO.

Import a certificate

Import third-party client certificates into McAfee ePO to validate the clients for use with DXL.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Configuration | Server Settings | DXL Certificates.

2 On the Client Certificates page, click Edit.

3 Click Import to browse to the certificate, then click OK.

The certificate is added to the Client Certificates list used by DXL.

Create a list of certificates used by DXL

Create a file that lists the certificates used by DXL clients.

You can create a list of the broker Certificate Authorities currently in use, or a list of the managed DXL brokers that show broker information.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Configuration | Server Settings | DXL Certificates.

2 On the Client Certificates page, click Edit.


3 Create a file:

• For a list of broker Certificate Authorities (CA) currently in use, click Export All next to Broker Certificates. The file created is brokercert.crt. It contains all broker Certificate Authority information in PEM (Privacy-enhanced Electronic Mail) format.

• For a list of managed brokers, click Export All next to Broker List. The file created is brokerlist.properties with broker information shown in the following format: broker guid=brokerguid;port;host name;ipaddress. This list can be passed to a client when connecting to the DXL broker fabric.
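A small parser for the brokerlist.properties export described above, written as an added example (it is not McAfee or OpenDXL code). It assumes each line has the layout the guide gives, `<guid>=<guid>;<port>;<host name>;<ip address>`, and it validates the fields before a client would use them; the broker GUIDs, host names, addresses and port in the sample are constructed.

```python
"""Parse and sanity-check a brokerlist.properties export from the DXL Certificates page.

Added example. The guide gives the line format as
"broker guid=brokerguid;port;host name;ipaddress"; the field checks,
duplicate detection and the sample data below are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample export: GUIDs, hosts, addresses and the port are made up.
SAMPLE_BROKERLIST = """\
# brokerlist.properties (constructed sample)
{a1b2c3d4-0000-4000-8000-000000000001}={a1b2c3d4-0000-4000-8000-000000000001};8883;dxlbroker1.example.internal;10.0.1.10
{a1b2c3d4-0000-4000-8000-000000000002}={a1b2c3d4-0000-4000-8000-000000000002};8883;dxlbroker2.example.internal;10.0.1.11
{a1b2c3d4-0000-4000-8000-000000000003}={a1b2c3d4-0000-4000-8000-000000000003};8883;dxlbroker-dmz.example.internal;192.0.2.20
"""


@dataclass(frozen=True)
class Broker:
    guid: str
    port: int
    hostname: str
    ip: str


def parse_brokerlist(text: str) -> list[Broker]:
    """Return one Broker per well-formed line; raise ValueError on the first malformed line."""
    brokers: list[Broker] = []
    seen: set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected '<guid>=<guid>;<port>;<host>;<ip>'")
        fields = value.split(";")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 ';'-separated fields, got {len(fields)}")
        guid, port_text, hostname, ip_text = (f.strip() for f in fields)
        if key.strip() != guid:
            raise ValueError(f"line {lineno}: key {key.strip()!r} does not match guid {guid!r}")
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"line {lineno}: invalid port {port_text!r}")
        if not hostname:
            raise ValueError(f"line {lineno}: empty host name")
        ipaddress.ip_address(ip_text)  # raises ValueError on a malformed address
        if guid in seen:
            raise ValueError(f"line {lineno}: duplicate broker guid {guid!r}")
        seen.add(guid)
        brokers.append(Broker(guid, int(port_text), hostname, ip_text))
    return brokers


def validation_error(text: str) -> str | None:
    """Return the first error message for an export, or None when it parses cleanly."""
    try:
        parse_brokerlist(text)
    except ValueError as exc:
        return str(exc)
    return None


def broker_endpoints(brokers: list[Broker]) -> list[str]:
    """host:port strings, the form a client needs to open its broker connections."""
    return [f"{b.hostname}:{b.port}" for b in brokers]


if __name__ == "__main__":
    for broker in parse_brokerlist(SAMPLE_BROKERLIST):
        print(broker)
```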

Migrating certificates

Keep certificates up to date with the latest hash algorithm.

Many organizations are deprecating TLS/SSL certificates signed by an older SHA algorithm. The latest version of DXL installs the new hash algorithm certificates. If you have upgraded DXL from an older version, you can migrate DXL certificates to the latest hash algorithm.

To migrate certificates to the latest hash algorithm:

• All DXL brokers and DXL extensions must be at version 3.1.0 or later. This includes any bridged brokers to multiple McAfee ePO instances.

• The DXL fabric should be in a stable and connected state before migrating certificates. Use the Data Exchange Layer Fabric page to verify that all brokers are connected and communicating. Do not add or delete brokers from the DXL fabric until the migration is complete.

• In a bridged environment, migrate the certificates on each instance of McAfee ePO independently to minimize changes in the environment. Complete the migration on one instance of McAfee ePO before beginning a migration on a different instance.

Migrate certificates to a newer hash algorithm

Migrate your existing certificates to more secure algorithm certificates or regenerate them to remediate vulnerabilities in your DXL environment.

Use the Certificate Manager in McAfee ePO to migrate certificates. It allows you to:

• Migrate certificates that are signed by an older signing algorithm to the new algorithm, such as SHA-1 to SHA-256.

• Regenerate your certificates when your existing certificates are compromised due to vulnerabilities in your environment.

• Migrate or regenerate certificates for managed products that are derived from McAfee ePO root CA.

For details about migrating certificates using the Certificate Manager, see the McAfee ePO Product Guide.

Troubleshoot the certificate migration

If you experience issues with the DXL client or brokers, review these issues and solutions.

If you experience issues, check the log file for details. The log files are on the McAfee ePO server at \Program Files\McAfee\ePolicy Orchestrator\Server\Logs.

The brokers no longer bridge after the migration

The brokers might not have regenerated. Force an Agent Wake-up in McAfee ePO with full properties on the broker and wait at least 15 minutes. Check to see if the broker is connected.

The DXL Java client no longer connects after the migration


The brokers might not have regenerated. Force an Agent Wake-up in McAfee ePO with full properties on the broker and wait at least 15 minutes. Check to see if the broker is connected.

If the client is still not connected, delete the dxlClient.jks KeyStore file and restart the service containing the DXL client. The location of the KeyStore depends on the service running the client.

The DXL C++ client no longer connects after the migration

The DXL C++ client staggers certificate regeneration over a 24-hour period. If the client disconnects during this process, force a certificate regeneration (available on Windows systems only):

1 Disable the Self Protection option for the system in the DXL client policy.

2 Delete the certificate files located in %PROGRAMDATA%\McAfee\Data_Exchange_Layer (DxlBrokerCertChain.pem, DxlClientCert.pem, and DxlPrivateKey.pem).

3 Restart the DXL Service.

4 Enable the Self Protection option in the DXL client policy.

McAfee ePO bridged brokers no longer connect after the migration

In a bridged broker environment, the new certificates for the migrating McAfee ePO instance might have already been sent to the bridged McAfee ePO system but not delivered to the individual brokers in the policy. On the remote McAfee ePO system, force an Agent Wake-up to deliver the new certificates and wait at least 15 minutes.

If the DXL fabrics are still unable to bridge, re-export the information from the migrating McAfee ePO system into the remote McAfee ePO system to deliver the new certificate information. After importing the .zip file into the remote McAfee ePO system, force an Agent Wake-up and wait for at least 15 minutes.

The DXL client in McAfee ePO is no longer connected after the migration

See the log files to verify that the errors are certificate-related. Delete the DXL client KeyStore at \Program Files\McAfee\ePolicy Orchestrator\Server\keystore\dxlClient.keystore. The DXL client will detect this and regenerate the KeyStore.

Data Exchange Layer certificate authorization

Python-based DXL clients are identified by their certificates. Client-specific certificates and/or Certificate Authorities (CAs) can be used to limit which clients can send and receive messages on particular topics.

A client certificate can also be used to establish a restriction for a single client, whereas a certificate authority can be used to establish a restriction for all clients that are signed by that particular authority.


Examples for using certificate authorization

• Restricting which clients can provide DXL services. When providing a service, for example, Threat Intelligence Exchange, a restriction can be added to ensure that only clients that are providing the service are able to receive request messages on the service-related topics. Without this protection, other clients could masquerade as the service.

• Restricting which clients can invoke DXL services. You can limit the clients that can send messages on the service-related topics. For example, you can limit the clients that initiate McAfee® Active Response queries using topic authorization.

• Restricting which clients can send event messages. For example, only authorized clients should be able to inform that a TIE reputation has changed by sending a DXL event.

Using OpenDXL to enable certificate authorization

Use the Open Data Exchange Layer (OpenDXL) Python Client SDK to authorize third-party certificates. For details about the SDK, see this Knowledge Base article: KB87918.
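The certificate authorization rule stated above (a client certificate restricts one client, a CA restricts every client it signed, and the restriction applies per topic to sending or receiving) and the three example restrictions, worked through as a small authorization model. This is an added example, not OpenDXL or McAfee code: the TopicAuthorizer class, the topic names, the CA names and the certificate fingerprints are constructed for illustration and are not the SDK's API.

```python
"""Toy model of DXL certificate-based topic authorization.

Added example, not OpenDXL or McAfee code. It encodes the rule the guide gives:
a client certificate restricts a single client, a Certificate Authority restricts
every client signed by that CA, and a restriction limits who may send or receive
on a topic. The data model, topic names, CA names and fingerprints are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Literal

Direction = Literal["send", "receive"]


@dataclass(frozen=True)
class ClientIdentity:
    """What a broker can learn from a connecting client's TLS certificate."""
    cert_fingerprint: str  # names exactly one client
    issuer_ca: str         # names every client the CA has signed


@dataclass
class TopicRestriction:
    """Allow-lists for one topic; an empty list leaves that direction unrestricted."""
    allowed_senders: set[str] = field(default_factory=set)
    allowed_receivers: set[str] = field(default_factory=set)


class TopicAuthorizer:
    def __init__(self) -> None:
        self._rules: dict[str, TopicRestriction] = {}

    def restrict(self, topic: str, direction: Direction, *principals: str) -> None:
        """Allow only the named certificate fingerprints or CAs to act in 'direction' on 'topic'."""
        rule = self._rules.setdefault(topic, TopicRestriction())
        target = rule.allowed_senders if direction == "send" else rule.allowed_receivers
        target.update(principals)

    def is_allowed(self, client: ClientIdentity, topic: str, direction: Direction) -> bool:
        rule = self._rules.get(topic)
        if rule is None:
            return True  # topic carries no restriction at all
        allowed = rule.allowed_senders if direction == "send" else rule.allowed_receivers
        if not allowed:
            return True  # this direction is unrestricted
        # Either the client's own certificate or its issuing CA may be on the list.
        return client.cert_fingerprint in allowed or client.issuer_ca in allowed

    def audit_line(self, client: ClientIdentity, topic: str, direction: Direction) -> str:
        """A log line a defender can alert on, e.g. repeated DENY on a service topic."""
        verdict = "ALLOW" if self.is_allowed(client, topic, direction) else "DENY"
        return f"{verdict} {direction} topic={topic} cert={client.cert_fingerprint} ca={client.issuer_ca}"


# Constructed topics and principals mirroring the guide's three use cases.
REQUEST_TOPIC = "/example/service/reputation/request"
EVENT_TOPIC = "/example/event/reputation/changed"
SERVICE_CA = "CN=Example Service Provider CA"  # constructed: signs every service node
ANALYST_FP = "sha256:" + "11" * 32             # constructed fingerprint of one client


def build_example_policy() -> TopicAuthorizer:
    auth = TopicAuthorizer()
    # 1. Only clients signed by the service CA may receive requests, so no other
    #    client can masquerade as the service.
    auth.restrict(REQUEST_TOPIC, "receive", SERVICE_CA)
    # 2. Only one named client (by its own certificate) may invoke the service.
    auth.restrict(REQUEST_TOPIC, "send", ANALYST_FP)
    # 3. Only the service nodes may publish reputation-change events.
    auth.restrict(EVENT_TOPIC, "send", SERVICE_CA)
    return auth


SERVICE_NODE = ClientIdentity("sha256:" + "aa" * 32, SERVICE_CA)
ANALYST = ClientIdentity(ANALYST_FP, "CN=Example Endpoint CA")
OTHER_ENDPOINT = ClientIdentity("sha256:" + "bb" * 32, "CN=Example Endpoint CA")

if __name__ == "__main__":
    policy = build_example_policy()
    for client in (SERVICE_NODE, ANALYST, OTHER_ENDPOINT):
        for topic, direction in ((REQUEST_TOPIC, "receive"), (REQUEST_TOPIC, "send"), (EVENT_TOPIC, "send")):
            print(policy.audit_line(client, topic, direction))
```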

Creating DXL queries

You can create queries in McAfee ePO to see property information for DXL broker systems, client systems, and SGX systems.

Use the Queries and Reports feature in McAfee ePO to create managed systems queries. You can then select column headings from the DXL Broker Systems and DXL Client Systems categories to include in the query. For details, see the McAfee ePolicy Orchestrator Product Guide.

DXL server tasks

Server tasks are configurable actions that run on McAfee ePO at scheduled times or intervals.

Use server tasks to automate repetitive tasks. Each task has actions and can be scheduled to occur at specific intervals. For details, see the McAfee ePolicy Orchestrator Product Guide.

DXL includes these server tasks.

Server task | Description

Manage DXL Brokers | Assigns the DXLBROKER tag to all fully configured DXL brokers and updates the DXL broker policies. Use this task if you install a new broker and want to immediately identify it in the DXL fabric.

Send DXL State Event | Sends the current DXL State Event to the DXL fabric. Use this task when you make changes to bridged brokers to incorporate those changes on the DXL fabric page.

Update DXL Client Status | Updates the DXL Client connection status for all systems where DXL is installed. It runs once a day by default.


Index

A
about this guide 5

B
bridging Data Exchange Layer brokers 28
brokers for Data Exchange Layer
  about 7
  adding 27
  adding brokers to a DMZ 27
  bridging 29, 30
  broker status 28
  configuring policies 26
  connecting with multiple McAfee ePO servers 28
  creating service zones 26
  determining which broker to use 26
  extensions 8
  fabric 25, 28
  how brokers are connected 28
  organizing 25
  tagged in McAfee ePO 18
  view broker properties 34

C
certificates
  authorizing third party 33
  Certificate Manager in McAfee ePO 32
  create a list used by DXL 31
  importing client certificates 31
  log files 32
  migrating to a newer hash algorithm 32
  OpenDXL SDK 33
  troubleshoot a migration 32
Cloud Bridge 8
cloud databus 8
configuration
  brokers 25
  determining which broker to use 26
  using scripts 19
connecting Data Exchange Layer broker fabrics 28
conventions and icons used in this guide 5

D
Data Exchange Layer
  deploying 18
  view client and broker properties 34
deployment
  Data Exchange Layer client 18
DMZ
  adding Data Exchange Layer brokers 27
documentation
  audience for this guide 5
  product-specific, finding 6
  typographical conventions and icons 5
DXL certificates 33
DXL Cloud Databus 8

E
export client certificates 31
extensions 8, 28

F
fabric
  about 7, 28
  extensions status 28
  viewing 28
failover protection, organizing brokers 25

H
hubs
  about 7
  bridging 29, 30
  creating 25
  determining which hub to use 26
  organizing brokers 25

I
import client certificates 31
installation
  brokers 15
  brokers on a Linux system 16
  downloading software 14
  first-time installation 13
  log files for troubleshooting 19

McAfee Data Exchange Layer 3.1.0 Product Guide 35

Page 36: For use with McAfee ePolicy Orchestrator - … Important advice to protect your computer system, software installation, network, business, or data Warning: Critical advice to prevent

installation (continued)requirements 11

troubleshooting 19

upgrading from a previous version 20

verify the installation 18

Intel Software Guard Extensions 8verify SGX status on a machine 19

LLinux systems

installing DXL brokers 16

list client certificates 31

log filestroubleshooting certification migration 32

troubleshooting the installation 19

MMcAfee Agent

installation requirements 11

McAfee Cloud Bridge 8McAfee ePO and Data Exchange Layer 28

McAfee ServicePortal, accessing 6migrating certificates 32

log files 32

troubleshoot a migration 32

Nnetwork overview 12

OOpenDXL SDK 33

operating systems, supported 11

Ppolicies, configuring for Data Exchange Layer 26

ports used 12

protocols used 12

Qquery Data Exchange Layer properties 34

Rreconfiguration using scripts 19

Sscripts

reconfiguring the installation 19

Server tasks 34

service zonesabout 7creating 26

organizing brokers 25

ServicePortal, finding product documentation 6SGX 8

verify SGX status on a machine 19

viewing properties for SGX systems 34

Software Guard Extensions 8supported operating systems 11

system requirements 11

Ttechnical support, finding product information 6third-party clients

certificate authority 31

import certificate authority 31

topology, broker 28

troubleshootingcertificate hash migration 32

installation 19

Uupgrade DXL from a previous version 20

using Data Exchange Layer with multiple McAfee ePO servers 28

Vverify the installation 18

SGX status 19

VMware vSpheredeploying the OVF template 15
